FIFA hacked: further embarrassment for football's governing body

The computer systems of FIFA have been hacked once again and the football federation is braced for more damaging leaks of confidential information.

FIFA officials have admitted the hack and expect that a series of stories will promptly be published based on a set of internal documents that were originally obtained by the website Football Leaks in 2015.

The governing body issued a statement condemning "any attempts to compromise the confidentiality, integrity and availability of data in any organisation using unlawful practices." FIFA president Gianni Infantino told the Associated Press that media outlets had contacted the organisation about leaked information they had received.

“I mean, if I just have to stay in my room and not speak to anyone and cannot do anything, how can I do my job properly? So if then this is being portrayed as something bad, I think there’s not much I can do more than my job in an honest way, in a professional way and trying to defend the interests of football."

A phishing campaign is the suspected cause of the hack, which FIFA claims occurred in March, just months after it was the victim of another major cyberattack, which led Russian hacking group Fancy Bears to leak details of failed drug tests by footballers.

Preventative measures

Tim Sadler, the co-founder and CEO of email security startup Tessian said the hack appears to be the result of a classic phishing scam that duped an unassuming employee.

"Within an organisation that employs thousands of individuals like FIFA, there are thousands of human vulnerabilities for attackers to target and exploit and huge swathes of highly valuable data to exfiltrate," he said.

"To minimise the risk of falling victim to this phishing attack – and any other kind of phishing scam – it is important that FIFA's employees are sceptical and vigilant.

"In other words, they should expect to be targeted by fraudsters and respond by treating any request for information or payment in their inbox as suspicious, particularly in the aftermath of this breach.

"It is also important that staff are trained on the characteristics of a phishing scam, how they operate and how they can financially and reputationally impact their organisation.

"However, as FIFA have been hacked twice this year, and strong-form impersonation phishing scams are on the rise and proving increasingly effective, vigilance alone is not enough."

Sadler argued that the best means of defence was using machine learning tools that analyse patterns of behaviour in emails and spotting anomalies that suggest an attempted compromise.

Tony Pepper, CEO of Egress Software, echoed Sadler's calls for mitigating such risks through the use of machine learning and expressed sympathy for Infantino's defence.

"When questioned about the breach, the FIFA President explained that exchanging documents, drafts and ideas is core to his job, and I think we can all relate," said Pepper.

"Very little data actually just stays in a database or on a single server anymore. When sharing documents containing sensitive information, the first thing that should be done is to encrypt emails and attachments in transit and at rest in the mailbox, and add multi-factor authentication and policy controls when additional security is also required.

"This particular data breach highlights the need for enterprises to review the protections they are putting around unstructured data, especially within emails, meaning that if such sensitive information falls into the wrong hands, the risks of it being exposed is mitigated.

"Regardless, it’s another example of the risks enterprises are facing; they must review their cybersecurity procedures to ensure this does not happen again."

Simple changes

Simon McCalla, CTO of Nominet, added that simple changes to processes and systems backed up by training and education may have prevented the breach.

"To reduce the risk of users clicking on the 'near to' domains used - such as replacing john@fifa.com with john@fi-fa.com - deploying a robust anti-phishing system will absolutely help, but you can’t rely on defence systems alone," he said.

"It's important to educate users on the dangers of phishing and how to spot suspicious emails too. It’s also essential to instil a culture of security, where staff are encouraged and enabled to check anything that they’re not sure about.

"Perhaps the most interesting aspect of this hack is that FIFA acknowledged they 'had been unable to find traces of a hack in its computer systems'. This speaks volumes about how hard it is to detect data exfiltration techniques, which are often obfuscated to hide in the massive flows of traffic that leave organisations such as FIFA daily.

"Stricter rules, like GDPR in the UK, would have also expedited the disclosure of the breach thus prompting extra care from businesses."

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.